
CVE-2022-28601 PoC — Moodle and Darwin Factor Security Vulnerability

Associated Vulnerability

Title: Moodle and Darwin Factor Security Vulnerability (CVE-2022-28601)

Description: A Two-Factor Authentication (2FA) bypass vulnerability in "Simple 2FA Plugin for Moodle" by LMS Doctor allows remote attackers to overwrite the phone number used for confirmation via the profile.php file, thereby allowing them to bypass the phone verification mechanism.

Readme
# CVE-2022-28601

A Two-Factor Authentication (2FA) bypass vulnerability in "Simple 2FA Plugin for Moodle" by LMS Doctor

Vulnerability Details

Risk: Medium

Vendor: [LMS Doctor - Simple 2 Factor Authentication Plugin For Moodle](https://www.lmsdoctor.com/simple-2-factor-authentication-plugin-for-moodle)

Disclosed by: [Flaviu Popescu](https://flaviu.io)

Description:
A Two-Factor Authentication bypass vulnerability in the Simple 2FA Plugin for Moodle by "LMS Doctor" allows attackers to overwrite the phone number attached to an account, thus allowing them to bypass the second stage of the verification.

Proof of concept:
The example below shows the initial login process using a self-registered account.

POST /login/index.php

![image](https://user-images.githubusercontent.com/62330554/167459894-74467c2c-90ed-4f82-86f5-f90a72b44125.png)

After entering their username and password, the website sends the account owner a six-digit code to their mobile device, as shown below:

POST /auth/simple2fa/confirm.php

![image](https://user-images.githubusercontent.com/62330554/167459999-1ac7edda-d766-41f7-a92b-4bd1e595cb9d.png)

If an attacker then force-browses to the following URL instead of providing the 2FA code, they are able to update the phone number registered to the account.

POST /auth/simple2fa/profile.php

![image](https://user-images.githubusercontent.com/62330554/167460043-69fd154b-b7d4-4b49-9c0b-ae37be249dca.png)

A new phone number belonging to the attacker is added to the account. The login process is then repeated, but this time the six-digit PIN code is received on the attacker's device. The newly generated six-digit PIN code is then passed into the 2FA authentication portal, which now shows the attacker's phone number.

POST /auth/simple2fa/confirm.php

![image](https://user-images.githubusercontent.com/62330554/167460094-03585336-93e7-41a6-a6ca-7773dbe1dab8.png)

The attacker is then granted access to the website, effectively bypassing the second stage of the authentication process.
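The root cause described above is a session-state gate: the profile endpoint accepts a phone-number change from a session that has only passed the password stage, not the 2FA stage. The following Python model is an added example written for this page; it is not the plugin's code and does not reproduce Moodle's session handling. It contrasts the weak gate with a hardened one (profile changes require a fully authenticated session, and the new number must be confirmed with a code sent to that number before it replaces the old one), and it runs a simple detection over constructed access-log lines to flag a `profile.php` write that lands between `login/index.php` and `confirm.php`. The endpoint paths come from the write-up; the log format, the `AuthState` model and the meaning of a 303 status on `confirm.php` are assumptions made for the example.

```python
import hmac
import re
import secrets
from dataclasses import dataclass
from enum import Enum, auto


class AuthState(Enum):
    ANONYMOUS = auto()
    PASSWORD_OK = auto()    # password accepted; 2FA code not yet confirmed
    AUTHENTICATED = auto()  # 2FA code confirmed


@dataclass
class Session:
    user: str
    state: AuthState = AuthState.ANONYMOUS
    phone: str = ""
    pending_phone: str = ""
    pending_code: str = ""


class PermissionDenied(Exception):
    pass


# Weak gate (assumed model of the flaw): any non-anonymous session, including one that
# has only passed the password stage, may rewrite the number the 2FA code is sent to.
def update_phone_vulnerable(session: Session, new_phone: str) -> str:
    if session.state is AuthState.ANONYMOUS:
        raise PermissionDenied("login required")
    session.phone = new_phone
    return session.phone


# Hardened gate: the phone number *is* the second factor, so changing it requires a
# fully authenticated session, and the new number only takes effect once a code
# delivered to that number has been entered.
def request_phone_change(session: Session, new_phone: str) -> str:
    if session.state is not AuthState.AUTHENTICATED:
        raise PermissionDenied("complete 2FA before changing profile data")
    session.pending_phone = new_phone
    session.pending_code = f"{secrets.randbelow(10**6):06d}"  # would be sent by SMS
    return session.pending_code


def confirm_phone_change(session: Session, code: str) -> str:
    if session.state is not AuthState.AUTHENTICATED or not session.pending_phone:
        raise PermissionDenied("no phone change in progress")
    if not hmac.compare_digest(session.pending_code, code):
        raise PermissionDenied("wrong verification code")
    session.phone, session.pending_phone, session.pending_code = session.pending_phone, "", ""
    return session.phone


# Detection over (constructed) access-log lines: a POST to profile.php for a session
# that has logged in but not yet completed confirm.php is the footprint of this bypass.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) sess=(?P<sess>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)


def find_profile_writes_before_2fa(log_lines):
    """Return (session, timestamp) pairs where profile.php was written before 2FA finished."""
    awaiting_2fa = set()
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        sess, method, path, status = m["sess"], m["method"], m["path"], m["status"]
        if path == "/login/index.php" and method == "POST":
            awaiting_2fa.add(sess)          # password stage passed; 2FA still owed
        elif path == "/auth/simple2fa/confirm.php" and method == "POST" and status == "303":
            awaiting_2fa.discard(sess)      # assumed: 303 here means the code was accepted
        elif path == "/auth/simple2fa/profile.php" and method == "POST" and sess in awaiting_2fa:
            hits.append((sess, m["ts"]))
    return hits


# Constructed sample log: session A1 changes its number after finishing 2FA (legitimate),
# session B7 changes it between login and confirm.php (the bypass pattern).
SAMPLE_LOG = [
    "2022-05-09T10:00:00Z sess=A1 POST /login/index.php 303",
    "2022-05-09T10:00:04Z sess=A1 POST /auth/simple2fa/confirm.php 303",
    "2022-05-09T10:00:09Z sess=A1 POST /auth/simple2fa/profile.php 303",
    "2022-05-09T10:05:00Z sess=B7 POST /login/index.php 303",
    "2022-05-09T10:05:02Z sess=B7 POST /auth/simple2fa/profile.php 303",
    "2022-05-09T10:05:30Z sess=B7 POST /auth/simple2fa/confirm.php 303",
]


if __name__ == "__main__":
    s = Session(user="victim", state=AuthState.PASSWORD_OK, phone="+10000000001")
    print("weak gate accepted:", update_phone_vulnerable(s, "+19999999999"))
    try:
        request_phone_change(s, "+19999999999")
    except PermissionDenied as e:
        print("hardened gate refused:", e)
    print("suspicious sessions:", find_profile_writes_before_2fa(SAMPLE_LOG))
```

The detection is deliberately order-based rather than status-based: whatever the plugin returns, a profile write that precedes the session's first successful `confirm.php` is the thing to alert on. In a real deployment the session identifier would come from Moodle's cookie and the 2FA completion signal from the plugin's own log or the database, not from an HTTP status.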